JPCERT-AT-2016-0026
JPCERT/CC
2016-06-17
<<< JPCERT/CC Alert 2016-06-17 >>>
Vulnerabilities in Adobe Flash Player (APSB16-18)
https://www.jpcert.or.jp/english/at/2016/at160026.html
I. Overview
Adobe Flash Player contains multiple vulnerabilities. A remote
attacker may cause Adobe Flash Player to crash or execute arbitrary
code by convincing a user to open specially crafted contents
leveraging these vulnerabilities. For more information on the
vulnerabilities, please refer to the information provided by
Adobe Systems.
Security Updates Available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
This security updates address vulnerability publicized in APSA16-03 on
June 14, 2016 (local time) by Adobe Systems. According to Adobe Systems,
attacks leveraging this vulnerability have been observed in the wild.
Please apply the security updates as soon as possible.
II. Affected Products
The following versions are affected by these vulnerabilities:
- Adobe Flash Player Desktop Runtime (21.0.0.242) and earlier
(Internet Explorer, Mozilla Firefox, Safari etc.)
- Adobe Flash Player for Google Chrome (21.0.0.242) and earlier
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (21.0.0.242) and earlier
(Windows 10 and Windows 8.1)
III. Solution
Please update Adobe Flash Player to the latest version listed below:
- Adobe Flash Player Desktop Runtime (22.0.0.192)
(Internet Explorer, Mozilla Firefox, Safari etc.)
- Adobe Flash Player for Google Chrome (22.0.0.192)
- Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (22.0.0.192)
(Windows 10 and Windows 8.1)
Adobe Flash Player Download Center
https://get.adobe.com/jp/flashplayer/
Users can check the version of Adobe Flash Player that they are
using at the following link:
Adobe Flash Player:Version Information
https://www.adobe.com/jp/software/flash/about/
Note that the following browsers contain Adobe Flash Player by default.
- Google Chrome
- Internet Explorer 11 (Windows 8.1 and Windows 10)
- Microsoft Edge (Windows 10)
For Internet Explorer 11 and Microsoft Edge, the latest version of
Adobe Flash Player will be applied through Windows Update etc.
Also, the latest version of Adobe Flash Player will be updated when
Google Chrome is updated. For more information, please refer to
the following:
MS16-083
Security Update for Adobe Flash Player (3167685)
https://technet.microsoft.com/library/security/MS16-083
* Even if you use a web browser other than Internet Explorer, there is
software that uses Adobe Flash Player installed for Internet
Explorer, such as Microsoft Office, so please update Adobe Flash
Player for Internet Explorer.
IV. Workaround
As a temporary countermeasure until a security update can be
applied, please consider the following workaround to mitigate
impacts of the vulnerability. Applying these countermeasures may affect
other applications. Please carefully consider and test any side effects
prior to applying any of the workaround.
- Limit the Flash content
Please disable Flash on your browser or enable Click-to-Play
features.
- Open the security tab from "Internet Options" in Internet Explorer
and change the security level to "High" for the Internet zone and
local intranet zone.
V. References
Adobe Product Security Incident Response Team (PSIRT) Blog
Security updates available for Adobe Flash Player (APSB16-18) and Adobe AIR (APSB16-23)
http://blogs.adobe.com/psirt/?p=1371
Adobe Systems
Security Advisory for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
Adobe Systems
Security Advisory for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
Microsoft Security Bulletin MS16-083 - Critical
Security Update for Adobe Flash Player (3167685)
https://technet.microsoft.com/library/security/MS16-083
Kaspersky Lab
CVE-2016-4171 Adobe Flash Zero-day used in targeted attacks
https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/
Information-technology Promotion Agency, Japan
Regarding the solution for Adobe Flash Player vulnerability (APSA16-03)(CVE-2016-4171) (Japanese)
https://www.ipa.go.jp/security/ciadr/vul/20160615-adobeflashplayer.html
If you have any information regarding this alert, please contact JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top